Commit 7e26e01a authored by George Katsikas's avatar George Katsikas :goat:

fix: :passport_control: fix wrong add notes permission check

parent e6706632
...@@ -6,12 +6,13 @@ from django.db.models import Q ...@@ -6,12 +6,13 @@ from django.db.models import Q
from django.shortcuts import HttpResponse from django.shortcuts import HttpResponse
from django.template.response import TemplateResponse from django.template.response import TemplateResponse
from scipost.permissions import HTMXResponse from scipost.permissions import HTMXResponse, permission_required_htmx
from .models import Note from .models import Note
from .forms import NoteForm from .forms import NoteForm
@permission_required_htmx("scipost.can_add_notes")
def _hx_note_create_form(request, regarding_content_type, regarding_object_id): def _hx_note_create_form(request, regarding_content_type, regarding_object_id):
regarding_content_type = ContentType.objects.get_for_id(regarding_content_type) regarding_content_type = ContentType.objects.get_for_id(regarding_content_type)
form = NoteForm( form = NoteForm(
...@@ -45,9 +46,7 @@ def _hx_note_delete(request, pk): ...@@ -45,9 +46,7 @@ def _hx_note_delete(request, pk):
note.delete() note.delete()
return HttpResponse() return HttpResponse()
else: else:
response = HTMXResponse( response = HTMXResponse("You are not the author of this note.", tag="danger")
"You are not the author of this note.", tag="danger"
)
response["HX-Trigger"] = "notes-updated" response["HX-Trigger"] = "notes-updated"
return response return response
...@@ -62,7 +61,7 @@ def _hx_notes_list(request, regarding_content_type, regarding_object_id): ...@@ -62,7 +61,7 @@ def _hx_notes_list(request, regarding_content_type, regarding_object_id):
) )
# Handle permission checks for viewing and creating notes # Handle permission checks for viewing and creating notes
can_create_notes = request.user.has_perm("pins.can_add_notes") can_create_notes = request.user.has_perm("scipost.can_add_notes")
# Filter according to the visibility of the notes # Filter according to the visibility of the notes
notes = notes.visible_to(request.user, object.__class__) notes = notes.visible_to(request.user, object.__class__)
......
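Review bot: The permission name is now a bare string literal in two places, the `@permission_required_htmx("scipost.can_add_notes")` decorator on `_hx_note_create_form` and the `request.user.has_perm("scipost.can_add_notes")` call in `_hx_notes_list`. Django's `has_perm` returns False rather than raising when the named permission does not exist, which is presumably how the old `pins.can_add_notes` label went unnoticed. A module-level constant such as `CAN_ADD_NOTES = "scipost.can_add_notes"` used by both would keep the UI flag and the endpoint check from drifting apart again, and a test that a user without the permission is refused by the create endpoint would pin the fix. The hunks show no comparable decorator on `_hx_note_delete` or `_hx_notes_list`, whose definitions start outside the hunks, so it is worth confirming that both are gated as well; the delete view does appear to check authorship.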